Bug
Resolution: Won't Fix
Major
None
Problem
A developer can accidentally unmask the credential to the console if they reference it as a variable outside of the withCredentials block in Pipeline.
Examples
The password for testCredentials would be echoed to the console without being masked.
withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
    echo "${PASSWORD}" // password is masked
}
echo "${PASSWORD}" // password is not masked
Even if we enforced that the password variable should only be used inside the withCredentials block, it would still be possible to unmask the password with a Pipeline like the following:
def nicePasswordBro
withCredentials([usernamePassword(credentialsId: 'testCredentials', passwordVariable: 'PASSWORD', usernameVariable: 'USER')]) {
    nicePasswordBro = "${PASSWORD}"
    echo "${PASSWORD}" // password is masked
}
echo nicePasswordBro // password is not masked
Original request
Example pipeline code:
node {
    def usernameLocal, passwordLocal
    withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'simple_creds', passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {
        echo "echo step - env: ${env.USERNAME} - password through ${env.PASSWORD}"
        sh 'echo "sh step - echo: ${USERNAME} - ${PASSWORD}"'
        usernameLocal = env.USERNAME
        passwordLocal = env.PASSWORD
        echo "echo step (in block) - vars: ${usernameLocal} - ${passwordLocal}"
    }
    echo "echo step (out of block) - vars: ${usernameLocal} - ${passwordLocal}"
}
Output
[Pipeline] node
Running on master in /var/jenkins_home/workspace/with-credentials
[Pipeline] {
[Pipeline] withCredentials
[Pipeline] {
[Pipeline] echo
echo step - env: **** - password through ****
[Pipeline] sh
[with-credentials] Running shell script
+ echo sh step - echo: **** - ****
sh step - echo: **** - ****
[Pipeline] echo
echo step (in block) - vars: **** - ****
[Pipeline] }
[Pipeline] // withCredentials
[Pipeline] echo
echo step (out of block) - vars: myusername - mypassword
[Pipeline] }
[Pipeline] // node
[Pipeline] End of Pipeline
Finished: SUCCESS
Expectations
I expect that the credentials would still be accessible but would still be masked.
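A review-time check for the pattern reported above, as an added example that is not part of the original issue or of Jenkins: it scans Pipeline source for bound credential variables, or local copies of them, that are referenced after their withCredentials block has closed. It assumes regex matching over the script text rather than a Groovy parser; `matching`, `escaped_secrets` and the constructed `LEAKY` sample are names introduced here.

```python
import re

BINDING_KEYS = r"(?:passwordVariable|usernameVariable|variable)"  # keys that name bound variables

def matching(src, start, opener, closer):
    """Index of the closer that balances the first opener at or after start."""
    depth = 0
    for i in range(src.index(opener, start), len(src)):
        if src[i] == opener:
            depth += 1
        elif src[i] == closer:
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced " + opener)

def escaped_secrets(pipeline):
    """Names that carry a bound credential past the end of its withCredentials block."""
    findings = set()
    for m in re.finditer(r"withCredentials\s*\(", pipeline):
        args_end = matching(pipeline, m.start(), "(", ")")
        body_start = pipeline.index("{", args_end)
        body_end = matching(pipeline, body_start, "{", "}")
        args, body = pipeline[m.end():args_end], pipeline[body_start:body_end]
        rest = pipeline[body_end:]  # text after the block, where masking no longer applies
        for name in re.findall(BINDING_KEYS + r"\s*:\s*['\"](\w+)['\"]", args):
            if re.search(r"\b" + name + r"\b", rest):
                findings.add(name)  # bound variable referenced after the block
            # Copies made inside the block: x = env.NAME, x = NAME, x = "${NAME}"
            copy = re.compile(r"(\w+)\s*=\s*[\"']?(?:\$\{)?(?:env\.)?" + name + r"\b")
            for local in copy.findall(body):
                if re.search(r"\b" + local + r"\b", rest):
                    findings.add(local)  # copy outlives the masking scope
    return sorted(findings)

# Constructed sample, modelled on the pipeline in the original request.
LEAKY = '''
node {
  def usernameLocal, passwordLocal
  withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'simple_creds',
                    passwordVariable: 'PASSWORD', usernameVariable: 'USERNAME']]) {
    usernameLocal = env.USERNAME
    passwordLocal = env.PASSWORD
  }
  echo "out of block: ${usernameLocal} - ${passwordLocal}"
}
'''
if __name__ == "__main__":
    print(escaped_secrets(LEAKY))
```

Because the scan treats everything after the closing brace as unmasked, a later withCredentials block that rebinds the same variable name will also be reported and needs a manual look.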